Internal Fraud
Last Reviewed: August 2024
A study of employee frauds showed they lasted a median of 18 months before detection, with a median loss of $140,000. The study showed more than one-fifth of these caused losses of at least $1 million. The longer a perpetrator works for an organization, the higher fraud losses tend to be. TruStage claims records show that over a five-year period, employee dishonesty represented just 13% of fraud claims, but 45% of fraud losses. Many credit unions believe their employees are all trustworthy and that they have strong enough internal controls to prevent internal theft from occurring. Yet, it still occurs.
Internal Fraud: Summary
Many credit unions believe their employees are all trustworthy and that they have strong enough internal controls to prevent internal theft from occurring. Yet, it still occurs.
Fraud does not discriminate. According to TruStage, there is no immunity to this exposure based on geography, asset size, employee tenure, or past experience.
Internal controls are plans, policies, and operational procedures that provide management with reasonable assurance that the credit union's operations and objectives will be achieved in a safe, sound, and prudent manner. A system of effective internal controls is a critical component of credit union management and the basic foundation for safe and sound credit union operation.
The FCU Act, 12 USC 1761(b) states that the board shall have the general direction and control of the affairs of the credit union, including the proper and profitable conduct of credit union operations, the safety of credit union assets, and the accuracy and adequacy of financial statements.
How does a system of internal controls affect credit unions?
The board retains overall responsibility for the affairs of the credit union. Internal controls are part of that responsibility. It will help provide confidence that the credit union will comply with applicable laws and regulations as well as policies, plans, internal rules and procedures. It will also decrease overall risk levels and the likelihood of bad publicity and damage to the credit union’s reputation.
Regulatory authorities expect the board to establish a system of internal controls, in order to maintain control over duties delegated to paid employees.
The board has responsibility for approving and reviewing the credit union’s overall business strategies, plans, and policies. They must understand major risks and set acceptable levels for risk. The board also needs to ensure that management implements the proper programs and procedures to identify, measure, monitor, and control risk. The board is ultimately responsible for ensuring that an adequate and effective system of internal controls is established and maintained.
Effective internal control systems will assist the credit union in decision-making, performance measurement, and risk management. It will also help the credit union management to:
- Detect mistakes, errors, and areas of non-compliance.
- Identify procedures that need to be changed or modified.
- Take action against deliberate violations and illegal acts.
Credit union management must ensure that it places a high importance on internal controls and overall credit union security. It must establish a culture within the credit union that emphasizes the importance of internal controls and ensures that all credit union employees understand their role and function in the process. Management must take proactive steps to:
- Implement board approved internal control strategies and policies.
- Develop programs and procedures to identify, measure, monitor, and control risk.
- Maintain a credit union structure that clearly establishes areas of responsibility, authority, and reporting.
- Ensure that delegated responsibilities and reporting requirements are carried out.
- Establish a system of segregation of duties and a work verification process.
- Monitor and modify policies and procedures as needed.
The NCUA Examiner’s Guide on Fraud outlines the following three ways insider fraud, or internal fraud, is typically conducted:
- Fraudulent Financial Statements – Intentional misstatements within the balance sheet or income statement, such as:
- Intentional violation of policies, internal controls, regulations, or procedures
- Manipulation of accounts, documents, or records
- Forgeries or alteration of documents
- Misappropriation of Assets – Theft of a credit union’s assets by employees and others internal to the organization, including:
- Theft from members’ accounts, overpayment of dividends, and creation of fictitious loans
- Unrecorded or understated deposits
- Fictious fee refunds
- Fake vendor invoices via billing schemes
- Ghost employees or straw borrowers
- Check/share draft kiting
- Intentionally failing to secure collateral, to properly record a security interest in collateral, or pledging a member’s shares as collateral without that member’s permission
- Unrecorded ACH transactions, cash, or credit union check disbursements
- Manipulated suspense accounts
- Corruption – Insider abuse of position for financial gain, examples:
- Unauthorized or unapproved salary or leave advances, overtime, or travel reimbursement
- Knowingly accepting illegally obtained funds for deposit
- Obtaining bribes or receiving kickbacks from third parties or members
- Granting or requesting preferential treatment for anyone for potential financial gain
Internal Fraud: Detection
The National Credit Union Administration (NCUA) provides Insider Fraud Detection resources
These methods include:
- Insider tips.
- Employees should have available avenues to report potential abuse or fraud, including channels to notify the supervisor of the appropriate department, the supervisory or audit committee, the internal audit department, the credit union's fraud hotline, or the credit union's examiner.
- Fraud hotlines.
- Credit union members and staff can submit tips for suspected fraud through the NCUA Fraud Hotline Form, providing details about the situation, the credit union's name, and the suspected individuals involved.
- Audits and management reviews.
- Non-financial transaction report reviews.
- Employee and employee-related account reviews.
- Member account verifications.
- Employee red flag monitoring and follow-up.
If internal fraud does occur, the NCUA recommends credit unions perform the following actions as appropriate:
- Contact the credit union's legal counsel, bond company, law enforcement, and the NCUA's regional office.
- Place the employee on leave, terminating as appropriate after legal consultation.
- Increase the number of supervisory committee audits and verifications.
- Change or limit access to buildings, systems, and accounts.
- Collect keys and change codes as needed to prevent access.
Internal Fraud: Prevention
The National Credit Union Administration (NCUA) provides Fraud Prevention Resources.
To deter insider fraud, the NCUA recommends establishing, periodically reviewing, and enforcing strong internal controls, including the following:
- Establish a stand-alone fraud policy, addressing expectations for preventing fraud, whistle-blowing procedures, mandatory and sequential vacation days, employee conduct, the consequences if fraud is committed, and ongoing fraud awareness training. Require employees to sign this fraud policy annually.
- Segregate duties, which can be done by clearly defining roles and responsibilities for each employee and/or by implementing checks and balances using an outside party.
- Perform background checks on all new hires, board members, and supervisory committee members.
- Monitor employees for lifestyle and behavioral changes.
- Conduct ongoing training for the board of directors and supervisory committee; a credit union will be better able to institute strong internal controls if those with oversight have appropriate fraud training.
- Adopt additional internal controls, including:
- Dual controls,
- Computer access controls,
- Reviews of file maintenance reports,
- Account verifications,
- Surprise cash counts,
- Timely recordkeeping,
- Measures preventing employees from accessing their own and/or family member accounts, and
- Annual audits and surprise audits.
Internal Fraud: Collusion
The CPA Journal describes the key characteristics of collusion fraud, including
- Concealment through collusion among management, employees, or third parties;
- Withheld, misrepresented, or falsified documentation; and
- The ability of management to override or instruct others to override what otherwise appears to be effective controls.
Collusion fraud can be difficult to detect. The CPA Journal recommends anti-fraud measures such as anonymous tip lines, training for managers and employees, and internal audits. Anonymous tip programs are typically the most effective, which should be accompanied by policies that protect employees.
Internal Fraud: Checklist
(All answers should be "Yes" unless they are not applicable.)
- Has the board reviewed, evaluated, and approved a system of internal controls?
- Does the system of internal controls properly identify approrpriate risk and establish reasonable risk levels?
- Has management taken apporopriate steps to implement the system of internal controls?
- Do the board and management periodically review the result of the credit union's operation, in light of the internal control system, and ensure that changes and modifications are made when deficiencies are noted?
- Is the credit union's organization structure proper and effective?
- Are authorities and responsibilities clear and direct?
- Are reporting functions clear and well designed?
- Do the credit union's employees display high levels of integrity, ethics, and competence?
- Are there annual reviews and performance reviews?
- Does the board and management review and act on internal control recommendations noted during audits and examinations?
- Are business strategies formal or informal?
- Is the philosophy and operating style conservative? Aggressive?
- Have the credit union's risk strategies been successful?
- Are there any external influences affecting the credit union's operations and risk management practices (e.g., independent audits)?
Internal Fraud: Laws & Regulations
Internal Fraud: Additional Resources
NCUA Resources:
- NCUA Examiner’s Guide on Fraud
- NCUA Fraud Discovery Checklist for CU Board of Directors
- NCUA Fraud Hotline Form
- NCUA Fraud Prevention Resources
- NCUA Letter 96-CU-04 – Internal Control Structure
Other Resources:
- AICPA Managing the Business Risk of Fraud: A Practical Guide
- CPA Journal The Risks of Fraud Collusion
- Employee/Family Account Disclosure
- Mitigating the Risk of Internal Fraud Whitepaper – Courtesy of the Michigan Credit Union League
Internal Fraud: Model Policies
CU PolicyPro contains the following model content which can be used to help you craft your own policies and guidance on this topic:
- Model Policy 1100: Credit Union Culture and Governance
- 1100.17: Audits
- Model Policy 1500: Staffing and Human Resources
- 1500.10: Whistleblowing Protection
- Model Policy 1645: Fraud
- Model Policy 4300: Computer Security and Control
Click to login if your credit union subscribes to CU PolicyPro.
If you're not sure if your credit union subscribes, contact policysupport@cusolutionsgroup.com for assistance.